the position of threat hunting

It couldn’t be more timely to see a couple of blog posts on the topic of threat hunting, one from Robert M. Lee and another by Richard Bejtlich. (Updated to also add some Twitter comment links, as I think I agree with this position.) Reason? The past couple of weeks I’ve been reading papers and other posts and job descriptions of “threat hunting,” as I try to figure out what that means and what it does in a security organization.

See, I’ve been part of the infosec community since around 2001 in some form or other. But around 2014-2015 or so, I fell a bit out of touch; I didn’t read much from Twitter or other blogs and feeds of mine and didn’t really do any cons or other learning. As such, I turn around in 2016 and plug back in, and things like “kill chain” and “threat hunting” take me a bit by surprise at how suddenly they’ve popped up. And in the case of the latter term, I’ve been trying to figure out where it came from and what it really means. I mean, I like the idea of the task, but it doesn’t seem like a full-time position to me; it seems like an amalgamation of other duties, or maybe just a way to save money on external pen/red team tests by getting internal offense members, and concocting some additional things for them to do so you don’t lose them to boredom.

(Side note, it’s an interesting time, where organizations want to do more than just strictly blue things, but it’s hard to make sure your offense-minded folks don’t get bored or jump for those flashy full-time pentesting gigs. Likewise, blue tools and signatures are reaching their limits of usefulness, but other techniques and detection and analysis require more effort, intelligence, and experience to wield for proper value; enter offensive minds.)

My confusion stems from hearing about the tasks, and not being sure if the hunter is looking for latent, active compromises in dark corners of the enterprise, or if they are testing for weak points in an organization’s posture and providing fixes. Or maybe they are like architects for new tools like UBA/UEBA as they attempt to emulate attackers and define how detection tools may help identify them better, especially when you have to rely on behavior and anomalies rather than hard signatures or IoCs (hey, there’s another surprise term that is new!). To me, security is not just about watching alerts in a SOC, but about constantly improving the position of the security functions. In a sense, I’m always looking for ways to have more complete visibility, or at least know where my blind spots may be. Role-playing and tabletop exercises help stimulate that thinking as well. Things like analyzing a new vulnerability announced and how to tell if that affects or has already affected me, or a new minor incident and what pieces of information are annoying to procure. Every blue question has a chance to improve the environment.
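One concrete form the “behavior and anomalies rather than hard signatures or IoCs” kind of hunt takes is frequency analysis (often called “stacking”): count how often each parent-to-child process pair shows up across the fleet and put the rare ones in front of an analyst. The script below is an added example written for this page, not code from the original post or from the linked authors; the log lines, field layout and the 25% host-fraction cutoff are all constructed assumptions.

```python
"""
Added example (not from the original post): a small "stacking" hunt over
process-creation events. Instead of matching a known-bad signature or IoC,
it counts how often each parent->child process pair appears across hosts
and surfaces the rare ones for an analyst to review. All log lines below
are constructed for this example; the field layout is an assumption.
"""
from collections import Counter, defaultdict

# Constructed sample: one event per line, "host|parent_image|child_image".
SAMPLE_EVENTS = """\
ws01|explorer.exe|outlook.exe
ws01|explorer.exe|chrome.exe
ws02|explorer.exe|outlook.exe
ws02|explorer.exe|chrome.exe
ws03|explorer.exe|outlook.exe
ws03|explorer.exe|chrome.exe
ws04|explorer.exe|outlook.exe
ws04|explorer.exe|chrome.exe
ws05|explorer.exe|outlook.exe
ws05|explorer.exe|chrome.exe
ws03|winword.exe|powershell.exe
ws04|outlook.exe|cmd.exe
ws04|cmd.exe|whoami.exe
ws01|services.exe|svchost.exe
ws02|services.exe|svchost.exe
ws03|services.exe|svchost.exe
ws04|services.exe|svchost.exe
ws05|services.exe|svchost.exe
"""

def parse_events(text):
    """Parse 'host|parent|child' lines into (host, parent, child) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, parent, child = line.split("|")
        events.append((host, parent.lower(), child.lower()))
    return events

def stack_parent_child(events):
    """Return {(parent, child): (event_count, set_of_hosts_seen_on)}."""
    counts = Counter()
    hosts = defaultdict(set)
    for host, parent, child in events:
        counts[(parent, child)] += 1
        hosts[(parent, child)].add(host)
    return {pair: (counts[pair], hosts[pair]) for pair in counts}

def rare_pairs(stacked, total_hosts, max_host_fraction=0.25):
    """Pairs seen on at most max_host_fraction of all hosts, rarest first.
    Each entry is ((parent, child), event_count, sorted_host_list)."""
    out = []
    for pair, (n, hostset) in stacked.items():
        if len(hostset) / total_hosts <= max_host_fraction:
            out.append((pair, n, sorted(hostset)))
    out.sort(key=lambda item: (len(item[2]), item[1], item[0]))
    return out

def hunt(text=SAMPLE_EVENTS, max_host_fraction=0.25):
    """Run the whole stack over a log text and return the rare pairs."""
    events = parse_events(text)
    total_hosts = len({host for host, _, _ in events})
    return rare_pairs(stack_parent_child(events), total_hosts, max_host_fraction)

if __name__ == "__main__":
    for (parent, child), n, hostlist in hunt():
        print(f"{n:3d} event(s) on {len(hostlist)} host(s): {parent} -> {child}  {hostlist}")
```

On the constructed sample the three fleet-wide pairs (explorer.exe launching Outlook and Chrome, services.exe launching svchost.exe) drop out, and the three single-host pairs (winword.exe -> powershell.exe, outlook.exe -> cmd.exe, cmd.exe -> whoami.exe) are what the analyst looks at. None of them is a signature match; they are simply rare in this environment, which is the point of the technique.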

Also, is a threat hunter part of the blue team, part of the IR team, or part of an internal red team? Or maybe some combination of two or more of those areas; a sort of way to fill in some time between other tasks. Is it a way to get your SOC members something a little more mentally stimulating than watching alerts all day? Does it complement or replace role-playing exercises?

Anyway, I don’t have these answers yet, but these were timely articles on a topic I’ve been currently wrestling with.

learning and career goals for 2019

Yearly, I try to make an achievable plan for studying and career goals and ideas. I’m not getting any younger, but even now my eyes are wider than my free time when it comes to wanting to learn things. It’s a “problem” I’ve had forever, but I definitely want to make sure as I make these year-long plans that I at least maintain some sanity. I’d mapped out my previous 2 years, and I am super happy with the process and my results, so I’ll push myself again some more this year. I’ve added 4 certs (plus the learning!) to my belt over the past 2 years (OSCP, OSWP, CCNA Cyber Ops, GCFA), plus all of the learning and growth that come with them, and I have some more lined up this year.

My theme for 2019 is going back to the offense, and specifically web app testing with some binary exploitation thrown in. Every year, I’ve been striving to alternate between being defense-focused or offense-focused in my formal training. We’ll see how well I keep that plan up!

For some of the items below, I have more fleshed out maps and resources to pursue than what I list here.

Formal Certs and Courses

  • SANS SEC542 (GWAPT) at SANS East – GWAPT has been at the top of my list for SANS certs for a while. I have a long history of working with web servers, sites, coding, and attacking, but I still feel somewhat of a neophyte when it comes to web app testing (and I probably am intermediate at worst). I really want to beef that up, or at least give me something tangible for reassurance. I also want to take care of this earlier in the year than I did last year’s SANS course in May, so I’m hoping to get signed up for SANS East somewhat soon. This will be a cert I pursue, too, so that will add a few months of studying. Specifically, I want to feel better wielding BurpSuite (and other tools), attacking SQLi issues, and doing some automated and manual web app scanning and testing.
  • TBD Second major training: Black Hat USA Trainings or SANS SEC573 (GPYC) Python or SANS SEC545 Cloud – I want to see what I can push for out of my work budget, so I’ve requested a second major training opportunity, but have left it more open-ended. I’ve also tried to pick things where I wouldn’t necessarily exit the event with the commitment of lots of studying for a follow-up cert. SEC573 will give me some excellent Python experience and I could still optionally pick up the cert. SEC545 was added later as a sort of acknowledgment that my AWS/Cloud specifics are a little weak in practice yet, and if work wants to send me to that, I’d be ok with using my second slot for it. If Black Hat gets chosen, I’d probably look for some further web app or other red team course to take, and then stay for Defcon on my own. This is pretty aggressive for me, but I’ll be super excited if I can make this happen.
  • Linux+ – I wanted to get this slotted in this year for reasons (a study-buddy or two). I consider this a slightly more informal certification to pursue, and I already have a Linux Academy subscription anyway. My goal here is just to get better with formal Linux knowledge and try out some peer support/mentoring. I’ve long had this cert on my distant radar as one of the few ways to demonstrate Linux comfort on a resume.
  • SLAE (+ OSCE prep) – OSCE continues to be on my radar, but it might be too much this year to slot it in for a full commitment. However, I would like to pursue my roadmap prep list to get there, which starts with tackling the SLAE from Pentester Academy and maybe some other companion topics. SLAE is very open-ended and I expect to learn a lot of things I’ve just not been exposed to before (assembly, shellcoding, etc).
  • CCSP (Cloud) – Another nod to being a work-influenced topic, but I wouldn’t mind spending some time studying up for the ISC2 CCSP (Certified Cloud Security Professional) cert. Definitely the lowest priority on my list. I could even replace this with the AWS Architect certification, which I can study for through Linux Academy.
  • Pentester Academy tracks (+Red Team Lab?) – I just recently signed up a subscription for Pentester Academy and want to make further plans to slot regularly learning from it into my free time. They have a Red Team Lab that I want to keep in mind, but is a lower priority (and extra cost).
  • Linux Academy – Just an acknowledgement that I have this subscription active. What’s great is this will support not only Linux studies, but also cloud-related things.
  • Splunk Fundamentals & Power User – I want to get better with Splunk, and the first steps will be to pursue the free Fundamentals training and certification, and then look at Power User. This may get higher priority if work pushes it, or if I get sent to Splunk .conf again in 2019, where I can take a course or the exam on site. This one really depends on some external work influence to prioritize it higher.

That’s seriously aggressive for me. Even at my most conservative estimate, I should walk away from 2019 with the GWAPT (2-4 months), Linux+ (a month or two), and SLAE (2-4 months) certifications. With CCSP and Splunk and OSCE lurking around the corner. That’s some serious work I’d have cut out for me, and I totally know it. And I haven’t even gotten to informal topics I want to dive into over the next year! Thankfully, a few of them overlap…

Informal Topics

  • Web app topics and GWAPT prep – I have several books and topics that will go into my preparations for the SEC542 (GWAPT) course. This item really is just about making sure my web app work neither starts nor ends this year with just this course.
  • Binary exploitation / buffer overflows / reversing – I also feel inadequate when it comes to reversing, fuzzing, binary exploitation, and handling buffer overflows. This goes into my preparation for OSCE as well. I have some HTB boxes/challenges, courses, books, and a few other topics listed out behind the scenes that slot into this bullet item. This overlaps with more Python work, too.
  • Bloodhound (AD mapping) – A tool I want to not only try out, but incorporate at work.
  • HTB some more! RastaLabs / Offshore and POO/Endgame – I nearly got HTB out of my system this summer by hitting Omniscient with challenges and boxes. However, beyond just catching up on new boxes, HTB still has some offerings (free and paid) that I have yet to take advantage of. I’d like to. I currently have VIP access, but I’ve not decided if I will renew that next year. So this does mean I want to set aside some time to go through all of the retired boxes (along with IppSec walkthroughs as needed). This platform is great to jump in and out of in bursts to keep my attacker skills from getting too rusty.
  • Books – I have a list of books/ebooks that I want to consume. It’s not large, but significant enough that I wanted to put onto my goals. I have a love-hate relationship with infosec/tech books. I used to collect these far more than I do today, but the number that never really got used outweighed those that I found useful to some degree or other. I’ve trimmed my collection down about 75% over the past 5 years, but I’m slowly picking out new ones to consume that I know will either be useful references or good actual reads/lessons.
  • BurpSuite – I list this here because I still want to get better with BurpSuite. I have a course identified that will help, but I imagine SEC542 will help as well.
  • Python and PowerShell – I continue to yearn to get back up to speed and beyond on PowerShell and Python again. If I can take SEC573, that will certainly bring my Python comfort way up. Grabbing onto some work projects can help with these as well.
  • Scapy – Scapy is something I want to learn as I pick up Python. It’s long been on my list, and I admit it’s still waiting due to lack of me needing it day to day.
  • PluralSight – I normally don’t just list a subscription I have, but I wanted a reminder that I have this subscription open, and if I don’t find uses for it in 2019, I should trim that cost off.
  • Home lab / Blog / Github – I have a whole list of things to do on the home lab that I won’t list (and commit to!) here, but it’s a thing on my radar. One thing this does include is cleaning up this blog a bit and using my github for more things. The main immediate item will be moving all my links on the right pane over to a github page and maintaining it there for the future.
  • Leadership – From the triple threat route, the one place I have no demonstrable experience is infosec leadership (vs offense and defense). So if I have chances, I should try to tackle and succeed with project management, vendor relation, team mentoring, and presentation opportunities. I’ve long been a team leader/mentor type, but have rarely translated that into something demonstrable, visible, or upward-facing, if that makes sense.

Cons/Meetups

  • SecDSM – Monthly meet-up that I always attend and will continue to do so.
  • BSidesIowa – Local Bsides event that I’ve always liked. I may focus more on the CTF this year than talks, though.
  • SecureIowa – This was only ok for me, but it helps that it takes place during the work week.
  • Wild West Hackin’ Fest? – I’d love to try and get to this next year. Slotting it in, but not sure yet.
  • Splunk .conf 2019 – If work wants to send me to this, I’ll think about going. It’s in Las Vegas, so a little less exciting than before.
  • ArcticCon? – This is a red team vetted-invite con in Minnesota. I doubt I “qualify” for an invite, since I don’t have a red team job, but I sure would love to go.
  • Defcon – If I get a chance to be sent out to Black Hat USA, I’ll stay a little longer on my own dime to attend Defcon again. If not, it’s pretty unlikely I’ll go on my own.

Cert renewals

  • CISSP – This is just my yearly CPE maintenance. As long as this is easy to maintain, I’ll keep it up, since I have no real reasons why I shouldn’t.

ranting and could care less about obscurity

Maybe it’s because summer has given up the fight and it’s diving colder today for the weekend, but I feel ranty.

My other rant this morning is about security through obscurity. I hate seeing people say that this is bad. I mean, passwords fit into this category! The proper frame of mind is to say, “security through *only* obscurity” is bad. I can move my SSH port to tcp 32154. Does that make SSH more secure? Not in itself. Does it make it harder to find and thus adjust my risk factor? Yes, somewhat. All those port 22 scans on the Internet will pass me up. Obscurity can certainly be, and almost always is, part of one’s security posture.

Also, I hate when people say, “I could care less.” Well, that means you could in fact care less, which means you care. You mean to say, “I couldn’t care less.”

*curmudgeonly sounds*

pessimistic on security awareness vs technological controls

(This post is going to sound exceedingly pessimistic about us humans. It’s purposely slanted a bit to make some points, but also to let me rant just a bit.)

I just got done reading a rather large post elsewhere about information security training. And it was long, and detailed, and probably more detailed than anyone actually does, anywhere, without multiple full-time staff dedicated just to training.

Which brought me to the question: why do I take a slightly more pessimistic view of security awareness training? I like awareness training, but I put more emphasis on actual technology controls than I do on trusting people to do the right thing. I’ll trust, but I’ll verify. I’ll say security awareness training is necessary, but I won’t say it’s one of the key tenets I lean on to provide security, or one of the most important things one can do in the business to improve security.

To me, training has a few achievable goals (this probably isn’t my exhaustive list, just a quick one):

1. checkbox. Let’s face it, requirements are a driver.
2. education on process – Make sure everyone knows how to deal with incidents or questions. Know to dial 911.
3. education on best practices – Enough knowledge to have a chance to make the correct decisions.
4. education on bottom-line performers – Provide education to those who truly didn’t know these things.
5. education about controls – What they are, why they’re in place, how they help. How to work with them instead of against them.
6. education about things too nuanced for actual controls (lots of social engineering falls here, and this is the elephant in this post).

That makes it sound like I want to deliver lowest denominator training, but that’s not true. I actually think training should challenge the audience a little bit, and make sure it improves knowledge, rather than baseline it. I prefer trainings that add value, even a little bit, to the audience, rather than “yet again” going over the same ol’ bullet points. I want people to learn something and not feel talked down to. One of the main problems is such learning can get into technical weeds pretty quickly. Questions like, “Well, why is this password weak?” or “What do you suggest to be more secure at home?” get deep very quickly, if you’re not careful and empathetic to the audience. Also, random attendance can mean you get non-technical folks in with the developers, and those developers love to ask questions about password complexity, because it’s arguable and there’s no real good right answer, which muddies the experience.

But, why do I get pessimistic about awareness training? For the same reasons I think people suck when they make risk decisions while driving. Unless there are radar detectors or tickets waiting around a corner, many drivers will drive at a speed that matches their own desires and risk tolerance; which often seem to be 5-15 mph over the posted speed limit, but sometimes more. Let’s just say 30% push this boundary marker on any given road.

These are the same people in the business as are on the road. And in the business, they have their own goals and things to get done for their job, boss, and customers. In fact, I would guess that 30% of employees will do whatever they need to do to get their jobs done efficiently, even if that runs contrary to security policies, as long as they’re not outright prevented. Need to trade a document with a client, but the client balked at the clunky “email encryption” solution you utilize? It’ll be ok to use Dropbox this one time. Email is too clunky? It’ll be ok to use Messenger on my phone. I need to work on this highly confidential document at home this weekend and I don’t want to bother VPNing in? It’s ok this one time to put it on my personal USB stick.

People will do what they can get away with if it is in their best interests. People are innovative, creative, selfish, and usually pretty passionate and determined. None of that should imply malicious, but there are malicious actors lurking as well.

This means you need to pair up education with technological controls. Actually stop the unwanted behavior as much as possible, or detect/alert and provide feedback when it occurs. And educate about those controls and why they are in place. It also means that breaking security policies should cost users more than they gain, making it actually in their best interest to follow the policies.
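The “detect/alert and provide feedback” half of that pairing can be quite small. The script below is an added example written for this page, not the author’s tooling: it reads constructed web-proxy log lines, flags sizable uploads to file-sharing services that are not the approved one, and builds the feedback message the user would receive, which points them at the sanctioned tool and invites them to say why it didn’t fit. The domain lists, the 100 KB threshold, the log layout and the approved-tool URL are all assumptions made for the example.

```python
"""
Added example (not from the original post): a small "detect, alert and give
feedback" control run over web-proxy log lines. It flags uploads to
file-sharing services that are not the approved one and builds the
feedback message a user would get, pointing them at the sanctioned tool.
The log lines, domain lists, threshold and field layout are constructed for
this example; a real proxy log will look different.
"""
from urllib.parse import urlsplit

# Constructed policy. In practice these come from policy/config, not code.
APPROVED_SHARING_URL = "https://share.example-corp.com"
WATCHED_DOMAINS = {"dropbox.com", "wetransfer.com", "mega.nz"}
UPLOAD_BYTES_THRESHOLD = 100_000   # ignore tiny POSTs such as login forms

# Constructed sample log: "user method url bytes_sent status", one event per line.
SAMPLE_PROXY_LOG = """\
alice POST https://share.example-corp.com/upload 5242880 200
bob   POST https://www.dropbox.com/upload/start 2097152 200
carol GET  https://www.dropbox.com/login 512 200
dave  POST https://wetransfer.com/api/v4/transfers 734003 201
erin  POST https://www.dropbox.com/login 840 302
bob   POST https://content.dropbox.com/upload/chunk 4194304 200
"""

def registrable_domain(url):
    """Crude host -> registrable-domain mapping (last two labels). This is an
    assumption for the example; a real deployment would use the public
    suffix list so that e.g. 'example.co.uk' is handled correctly."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def parse_proxy_log(text):
    """Parse whitespace-separated 'user method url bytes_sent status' lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue   # skip blank or malformed lines rather than crash the job
        user, method, url, sent, status = parts
        events.append({"user": user, "method": method.upper(), "url": url,
                       "bytes_sent": int(sent), "status": int(status)})
    return events

def is_unsanctioned_upload(event):
    """True for a sizable POST to one of the watched file-sharing services."""
    return (event["method"] == "POST"
            and registrable_domain(event["url"]) in WATCHED_DOMAINS
            and event["bytes_sent"] >= UPLOAD_BYTES_THRESHOLD)

def build_alerts(text=SAMPLE_PROXY_LOG):
    """Return {user: {"domains": set, "bytes": int, "feedback": str}} with one
    entry per user who uploaded to an unsanctioned service."""
    alerts = {}
    for ev in parse_proxy_log(text):
        if not is_unsanctioned_upload(ev):
            continue
        entry = alerts.setdefault(ev["user"], {"domains": set(), "bytes": 0})
        entry["domains"].add(registrable_domain(ev["url"]))
        entry["bytes"] += ev["bytes_sent"]
    for user, entry in alerts.items():
        # The feedback names the control, the approved alternative, and asks
        # why it didn't fit: the "discuss it" part of the post, not just a block.
        entry["feedback"] = (
            f"{user}: {entry['bytes']} bytes were sent to "
            f"{', '.join(sorted(entry['domains']))}, which is not an approved "
            f"file-sharing service. Please use {APPROVED_SHARING_URL} instead; "
            "reply to this message if that tool does not meet your need.")
    return alerts

if __name__ == "__main__":
    for entry in build_alerts().values():
        print(entry["feedback"])
```

On the constructed log, alice’s upload to the approved service and the small login POSTs from carol and erin are ignored; bob (two Dropbox upload chunks) and dave (one WeTransfer upload) each get a single consolidated message. Whether the same rule should also block the upload rather than only alert is the policy decision the post is talking about; the code is the same either way, only the enforcement point changes.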

Education goes so far. You can post signs about children at play, school zones, speed zones, and even radar detection enforcement. But you have to have controls in place that properly detect, prevent, stop, and penalize unwanted activity if you truly want to reduce and change behavior.

I do think people generally want to do the right thing, but that often slides to the side when someone needs to get something done.

If a control impedes business or seems like it stifles innovation or “getting the job done,” then it needs to be discussed, along with the reason why such controls are needed. This way alternative solutions can be identified and tried out, rather than users crying about security and security crying about users. Both sides need to know the lines, the controls, and where the business itself wants to draw them.

my certifications and how they helped or did not help the career

A thread recently came up on TechExams.net forum about the order one got their certifications and which ones helped their career or were unnecessary. I typically don’t try to regurgitate my life story in random places, but I liked the question enough to ruminate on it a little bit. My certification path is a “stop and start” type and requires a few extra timeline points to explain some things.

~1998/1999 – Started blogging – Just a personal milestone for me.

2001 – MIS 4-year degree – A career milestone. I may have felt a little obligated to get this; I mean, after high school, you go to college, right?

2001 – Found a deep interest in information security – Several factors came together to this realization (writing a gaming site post about finding a career by using your PC gaming skills and getting into Linux distros, for instance), but the singular event that really informed me was picking up a random thick book from Barnes & Noble in my earliest efforts to keep learning after school: Hack Attacks Revealed by John Chirillo. The knowledge and attack/defense tools stoked a fire that will not be going away.

~2001/2002 – Started blogging about tech/security & first vanity domain – At some point, I started blogging regularly about tech stuff and security topics, mostly just interesting links and tools. Many of these posts are either lost or buried in another data file backup somewhere along with personal blog postings. After leaving school and leaving their nice hosting, I also picked up my first vanity domain.

2002 – First “real” job – Basically, the real start of my career!

2002-2006 – Lull #1 – My 4 years at this job marked two things. First, I learned an absolute ton and had an absolute blast doing it. I grew by leaps and bounds during this period. Which probably is the reason this period is also marked by no formal learning or certification. I was underpaid by a company that also wouldn’t pay for training, but I didn’t much mind it since I was learning so much on the job. So, this was my first lull in learning, but it didn’t really feel like it. I have a strong nostalgia factor from these years of my career, work- and enthusiasm-wise.

2006 – Security+ – A job change later and I wanted to demonstrate my interest in security better. Before LinkedIn, you really only had in-person networking and your resume to demonstrate security acumen. If your job title was generic, but you managed security devices, it was difficult to show it. Also, I wanted to learn more. Security+ worked great for this. Spent personal time studying books and passed the exam. At the time, this was also a lifetime cert, which was a bonus I didn’t appreciate at the time.

2006 – terminal23.net domain – At this point, my technical blogging eclipsed my personal stuff in both effort and frequency, so I separated them with a second vanity domain. I took some effort to pull old technical posts into this blog, but some much older stuff I wouldn’t bother with.

2009 – CISSP – I also pursued this one on my personal time using self-study books. I would happily pass on my first attempt. Even at this time, there were threads of CISSPs being derided for not actually knowing anything (one guy at my testing center that I talked to was a sales guy on his third attempt, because it was required for his sales position…), but there was and probably still is no better certification to demonstrate interest in and at least some wisdom about security. In fact, this cert probably opened the most doors and got me the most recruiter attention of anything else I’ve picked up, by far. It’s definitely a gateway cert, and I think everyone in security should at least have this on their roadmap. Sure, you can skip it if you have good demonstrable security work and/or good networking, but for most of us, this makes a statement itself. Even now, almost 10 years later, I’m not sure when I will burn it or let it lapse… On the down side, I didn’t get a raise for this, paid for it myself, and didn’t use it to springboard into another job. Maybe a wasted opportunity for me, but I like where I am today for it.

2009-2017 – Lull #2 – During this period, I grew quite a bit with my skills during work hours, but for the most part, I did not pursue any formal education. I signed up for the PWK/OSCP (PWB at the time) cert, but work threw me, well…work, and I didn’t have the time to devote to it, so I let it slide. It didn’t help that my company did not really budget for training nor encourage it; in fact, I had a manager whose teams always seemed to stagnate and work behind the times with old tech/code/habits. I wouldn’t say I coasted during this period, but I was very comfortable and my days were filled with work at a manageable pace.

2017 – OSCP – Finally started getting that bug to get better jobs and re-find my enthusiasm and learning passion that I had in my first “lull” and early years. I decided to pursue the OSCP again on my own time and dime, and achieved it after about 4 grueling months. Of all of my certs so far, this one gave me the most street cred, and for hiring managers who know it, it definitely gets their attention. Particularly the 24-hour exam.

2017 – OSWP – I knew I wanted to keep learning, and I remember the heydays of war-driving and BackTrack wireless cracking, so I wanted to revisit those activities with what I knew was a much lighter cert in the OSWP. Took about 2-3 fairly casual weeks from start to finish. Really enjoyed it, and it left me hungry for more.

2018 – CCNA Cyber Ops – I don’t remember how I learned about this, but Cisco basically gave out free training and certification exams for lots of people who already had various industry certs, so I got this certification for free, though I did have to devote plenty of personal time to get it. This didn’t improve my resume at all, but I did like the experience. And I have to be honest, while I kept up with security blogging over many years, from about 2015-2016 I got a little out of touch with the security industry. And taking the Cyber Ops course filled in some gaps of new ideas and things like “threat hunting” and the “cyber kill chain” and “diamond models” which had basically been introduced at the time. Ultimately, this course pursuit got me back up to speed on the buzzwords of a SOC. Unless Cisco builds something compelling around it, I don’t plan to renew this one.

2018 – GCFA – For me, this is the first time in my career I’ve had corporate backing for education, and also marks a culmination of the next part of my career where I have strong, specific goals for growth. Also, a point where I stepped just slightly outside my comfort zone to formally learn something new that I identified as a weak spot.

Footnote
One thing I notice in my timeline compared to some other postings in that thread is how some people earn certs and are immediately rewarded with it leading to a new job or a raise of some sort. But, my timeline has almost none of that; many of my certs were earned and I would not say they directly led to a future job. Maybe a few interviews, but certainly not in the same calendar year as the cert was earned. I’ve also had the luxury of not having jobs that required extra study.

I also noticed that I never had (until this year) company or managerial backing for growth like this, and I also never had peers or colleagues who pursued certs or further formal education. That certainly makes a difference, as I do become influenced by those around me, as most do. I had to find the effort to self-start, most of the time.

There’s really no way to say it without sounding conceited, but all of my certs came from my own motivation and my own desire to learn and/or demonstrate knowledge in security. That’s not any less or more than other reasons to get certs, but I found that enlightening for me. It also helps illustrate what makes me happy, what drives my passion for this industry, and informs my plans for the future.